Secure API Gateways with authentication #16

Open
katjes733 opened this issue Feb 9, 2022 · 1 comment
katjes733 commented Feb 9, 2022

Currently all API Gateway methods do not require authentication and can therefore be accessed publicly. We need to ensure the methods cannot be invoked in an unauthorized way.

katjes733 commented Feb 16, 2022

A simple authorization can simply verify the JWT token coming from Teams. For that, a Lambda needs to import PyJWT, which can only be accomplished via a Lambda layer. To build a custom Lambda layer in CFN, one requires a zip file with the requirements.
An idea is to create an S3 bucket, run a CodeBuild compiling the required dependencies, and copy the output to the S3 bucket. This requires that CFN waits with the execution until the CodeBuild is complete, which can be accomplished as described here (or possibly using Step Functions), and then create the layer with the reference to the bucket. This can all be accomplished in CFN and would provide a neat integrated solution using CloudFormation only, without the need for external dependencies.
A prototype for an Authorizer can be found in the delta account, and API GW is configured for it: w-pasx-TeamsAuthorizer Lambda
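
Added example, not part of the issue thread or the project's templates: a CloudFormation sketch of the wiring described in the comment above, with a layer built from a zip in S3, an authorizer Lambda that uses it, and a method switched from open access to a custom authorizer. All parameter names, logical IDs, the runtime, the handler name and the use of the `Authorization` header are assumptions, and the zip files are assumed to have been uploaded already by the CodeBuild step.

```yaml
# Added example: every name below is hypothetical, not taken from the project.
Parameters:
  ArtifactBucket: {Type: String}      # bucket the CodeBuild job writes to
  LayerKey: {Type: String}            # key of the PyJWT dependency zip
  AuthorizerCodeKey: {Type: String}   # key of the authorizer handler zip
  AuthorizerRoleArn: {Type: String}   # execution role for the authorizer
  RestApiId: {Type: String}
  ResourceId: {Type: String}
  BackendFunctionArn: {Type: String}  # Lambda behind the protected method
Resources:
  JwtLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      CompatibleRuntimes: [python3.12]
      Content: {S3Bucket: !Ref ArtifactBucket, S3Key: !Ref LayerKey}
  AuthorizerFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !Ref AuthorizerRoleArn
      Layers: [!Ref JwtLayer]         # makes PyJWT importable in the handler
      Code: {S3Bucket: !Ref ArtifactBucket, S3Key: !Ref AuthorizerCodeKey}
  TeamsAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: teams-jwt-authorizer
      RestApiId: !Ref RestApiId
      Type: TOKEN
      IdentitySource: method.request.header.Authorization
      AuthorizerUri: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${AuthorizerFunction.Arn}/invocations"
  AuthorizerInvokePermission:         # lets API Gateway call the authorizer
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt AuthorizerFunction.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApiId}/authorizers/${TeamsAuthorizer}"
  ProtectedMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApiId
      ResourceId: !Ref ResourceId
      HttpMethod: POST
      AuthorizationType: CUSTOM       # NONE here is what leaves a method public
      AuthorizerId: !Ref TeamsAuthorizer
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BackendFunctionArn}/invocations"
```

Every method in the API needs the same `AuthorizationType` and `AuthorizerId` pair; a method left at `NONE` stays reachable without a token.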
